- From: Zach Gibbens <infocop411 AT gmail.com>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] Alternate query methods
- Date: Sat, 17 Dec 2011 03:18:12 -0500
- List-archive: <http://lists.darkdna.net/pipermail/discuss>
- List-id: <discuss.lists.opennicproject.org>
Been trying to apply a different concept to OpenNIC. I've been studying
DNSCrypt http://www.opendns.com/technology/dnscrypt/
and working out how to apply it to OpenNIC. One issue with SSH is that port
22 is commonly blocked/filtered/meddled with (in comparison to port
443). I've found 5 hotspots that outright blocked port 22, and my
college was nearly the same way.
I've got my server set to listen on both, and every time 443 is fine
(and it seems most DPI setups mistake SSH for SSL streams anyhow),
but this takes it a step further, by making it simply an SSL tunnel to
a DNS server. (I'm personally not worried about authentication at this
moment, as client setup & DNSSEC should account for most of those
concerns at present.)
On Sat, Dec 17, 2011 at 1:41 AM, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
> Due to some ISPs meddling with users' DNS queries, some people have tried
> alternate connection methods to obtain OpenNic DNS queries. From this was
> born the use of port 5353 (available on a few of the T2 servers), which so
> far has resolved the issue for those who need it. However this will not
> always be the case, as many locations are already using packet inspection to
> filter the information.
>
> Taking this to the next step, I would like to suggest we start testing out
> dns-over-ssh. The server side would be set up to accept logins on port 5322
> (dns/ssh) using a public RSA key, and accept the queries via that port. The
> client side would create an ssh tunnel with a fifo to pipe the DNS queries
> over SSH. This is fairly easy from Linux using ssh and socat, however
> someone else would need to do the research on methods to do this in Windows.
> The nice thing about an SSH tunnel is that it eliminates the need for any
> other special software -- once the tunnel is in place, all DNS queries from
> all of your software will automatically be piped through the tunnel to the
> destination of your choice.
>
> This could open up OpenNic to areas that have previously been blocked by
> company or country-wide firewalls - for instance allowing someone in China
> to set up a T2 server that could freely obtain the updated zones from other
> locations via the ssh tunnel. Servers could control access to their DNS by
> only accepting ssh connections from users who have the RSA key. Creating
> these tunnels allows us to build customized security measures on both the
> server and client side, designed around the specific needs of each case.
>
> Anyway, I thought I would put the idea out there. Hopefully there is some
> interest in the concept.
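An added example, not part of either message and not OpenNIC code: both proposals in this thread carry DNS over a byte stream (an SSH tunnel or an SSL tunnel), where UDP datagram boundaries are lost, so each message needs the 2-byte length prefix that DNS over TCP uses (RFC 1035, section 4.2.2). The Python below assumes the far end of the tunnel is a resolver's TCP port; `serve`, its addresses and the sample name `example.geek` are hypothetical.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Minimal DNS A query (RD set), used here as constructed sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame(msg):
    """Prefix a DNS message with its 2-byte big-endian length for stream transport."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large to frame")
    return struct.pack("!H", len(msg)) + msg

def deframe(buf):
    """Return (complete_messages, leftover_bytes) from a stream buffer."""
    msgs = []
    while len(buf) >= 2:
        (n,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + n:
            break  # partial message: wait for more bytes
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf

def exchange(stream, query):
    """Send one query through the tunnel stream and return the matching reply."""
    stream.sendall(frame(query))
    buf = b""
    while True:
        chunk = stream.recv(4096)
        if not chunk:
            raise ConnectionError("tunnel closed before a full reply arrived")
        msgs, buf = deframe(buf + chunk)
        for reply in msgs:
            if reply[:2] == query[:2]:  # skip replies with a different transaction ID
                return reply

def serve(listen_addr, tunnel_addr):
    """Relay local UDP queries over a stream endpoint (hypothetical addresses,
    e.g. the local end of an SSH port forward or an SSL wrapper)."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(listen_addr)
    with socket.create_connection(tunnel_addr) as stream:
        while True:
            query, client = udp.recvfrom(4096)
            udp.sendto(exchange(stream, query), client)
```

Relaying raw UDP payloads into the stream without this prefix only works while every read happens to return exactly one whole message.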